| Author | Topic: OpenSSL -- OCSP |

X509 member offline | posts: 33 | joined: 05/01/2007 | from: MS

| OpenSSL -- OCSP |

OpenSSL Installation
========================
  1. Go to https://slproweb.com/products/Win32OpenSSL.html
  2. Download: Win64OpenSSL-3_4_0.exe
  3. Run Win64OpenSSL-3_4_0.exe to install OpenSSL in the folder: C:\Program Files\OpenSSL-Win64
  4. Add 'C:\Program Files\OpenSSL-Win64\bin' to PATH so that openssl.exe can be located
 
C:\OpenSSL>openssl --version
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
 
| Configure OCSP Extension |

Copy C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf to C:\OpenSSL\myCA. Add the following contents:
 
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://127.0.0.1:2560
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
 
  Note: default dir "demoCA" --> "myCA" 
| Root CA |

Since the root CA is always a self-signed certificate, there is no need to go through the CSR and signing processes. All of the above can be combined into one command:
 
C:\OpenSSL>openssl req -x509 -sha256 -days 3650 -newkey rsa:2048 ^
             -keyout myCA/rootCA.key.pem -out myCA/rootCA.crt.pem ^
             -extensions v3_ca -config myCA/openssl.cnf
 
  Display the certificate:
 
C:\OpenSSL>openssl x509 -in myCA/rootCA.crt.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:b9:8f:08:4f:1f:75:80:1b:49:ff:90:6f:f6:84:65:fb:e9:56:f1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
        Validity
            Not Before: Aug 24 00:47:06 2024 GMT
            Not After : Aug 22 00:47:06 2034 GMT
        Subject: C=US, O=MyCA, OU=Dev, CN=rootCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9b:65:ef:a2:40:5a:7a:8b:a2:fb:33:8b:0e:61:
                    ...
                    5c:1e:84:aa:84:66:cd:66:2f:d8:02:c2:4a:f4:16:
                    17:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
            X509v3 Authority Key Identifier:
                E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        48:d6:77:91:3f:60:0b:1f:14:63:90:ae:12:d4:d5:7a:0c:7d:
        d3:94:e4:f3:8a:5d:2c:18:03:dd:c7:99:e2:2d:d9:3c:34:5d:
        ...
        a9:21:c9:82
| Generate a CA-signed certificate -- Any server |

  Step 1. Generate private key
 
C:\OpenSSL>openssl genrsa -aes256 -out myCA/myCompany.com.key.pem 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
 
  Step 2. Generate certificate request
 
C:\OpenSSL>openssl req -new -sha256 -key myCA/myCompany.com.key.pem ^
             -out myCA/myCompany.com.csr.pem
Enter pass phrase for myCA/myCompany.com.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:myCompany.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  Step 3. Sign the CSR
 
C:\OpenSSL>openssl x509 -req ^
         -in myCA/myCompany.com.csr.pem -CA myCA/rootCA.crt.pem -CAkey myCA/rootCA.key.pem ^
         -out myCA/myCompany.com.crt.pem -days 2400
Certificate request self-signature ok
subject=C=US, CN=myCompany.com
Enter pass phrase for myCA/rootCA.key.pem:
  Display/Verify the certificate
 
C:\OpenSSL>openssl x509 -in myCA/myCompany.com.crt.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            47:48:d0:c2:7f:9a:84:ce:db:53:8b:c3:5c:14:4f:a7:31:98:fd:22
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
        Validity
            Not Before: Aug 24 01:32:35 2024 GMT
            Not After : Mar 21 01:32:35 2031 GMT
        Subject: C=US, CN=myCompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:e0:b9:66:07:2d:56:3f:37:89:2e:85:aa:d4:
                    ...
                    c1:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                6A:1D:E7:98:B2:86:F8:CB:24:1E:D2:F5:FA:EC:34:0F:E7:0E:47:63
            X509v3 Authority Key Identifier:
                E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        99:aa:d8:67:31:59:4b:4d:57:83:e8:ab:f2:98:1d:64:80:43:
        ...
        66:c3:65:2a
  Step 4. Convert Private Key and PEM into PKCS12 or JKS keystore
  Concatenate all public certificate *.PEM files (intermediate CA) into one PEM file, if any
  Then create keystore in PKCS12 format with private key
 
C:\OpenSSL>openssl pkcs12 -export -inkey myCA/myCompany.com.key.pem ^
             -in myCA/myCompany.com.crt.pem ^
             -name alias_name -out myCA/myServer.p12
| Generate an OCSP signing certificate -- OCSP server |

In order to host an OCSP server, an OCSP signing certificate must be generated. Otherwise, the OCSP server would not be able to sign the OCSP response.
  Step 3. Sign the CSR using v3_OCSP extension
 
C:\OpenSSL>openssl x509 -req ^
             -in myCA/myCompany.com.csr.pem -CA myCA/rootCA.crt.pem -CAkey myCA/rootCA.key.pem ^
             -out myCA/ocsp.myCompany.com.crt.pem -days 2400 -extensions v3_OCSP -extfile myCA/openssl.cnf
Certificate request self-signature ok
subject=C=US, CN=myCompany.com
Enter pass phrase for myCA/rootCA.key.pem:<secret>
  Display/Verify Certificate
 
C:\OpenSSL>openssl x509 -in myCA/ocsp.myCompany.com.crt.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:b4:bf:83:42:09:d0:4f:c2:42:83:38:c7:10:95:ac:ab:eb:33:ae
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
        Validity
            Not Before: Dec  6 04:44:58 2024 GMT
            Not After : Jul  3 04:44:58 2031 GMT
        Subject: C=US, CN=myCompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:e0:b9:66:07:2d:56:3f:37:89:2e:85:aa:d4:
                    ...
                    c1:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Subject Key Identifier:
                6A:1D:E7:98:B2:86:F8:CB:24:1E:D2:F5:FA:EC:34:0F:E7:0E:47:63
            X509v3 Authority Key Identifier:
                E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:68:34:09:d8:a0:df:b9:68:d9:83:e1:96:40:2b:47:e7:c5:
        ...
        9f:94:d7:67
  Step 4. Then start an OCSP Server with the OCSP-Signing Certificate
 
C:\OpenSSL>openssl ocsp -host 127.0.0.1 -port 2560 ^
             -rkey myCA/myCompany.com.key.pem -rsigner myCA/ocsp.myCompany.com.crt.pem -CA myCA/rootCA.crt.pem ^
             -index myCA/index.txt -text -out log.txt
ACCEPT [::]:2560 PID=51080
Enter pass phrase for myCA/myCompany.com.key.pem:<secret>
ocsp: waiting for OCSP client connections...
  Verify that OCSP server is running by NetStat:
 
C:\>netstat -ano | findstr 2560
  TCP    0.0.0.0:2560           0.0.0.0:0              LISTENING       51080
  TCP    [::]:2560              [::]:0                 LISTENING       51080
 
| Create a user certificate AND register it in CA database |

In order to check a certificate against the OCSP server, an end user's certificate with AIA (Authority Information Access) extension should be created first.
  Step 1. Generate the end user's private key:
 
C:\OpenSSL>openssl genrsa -aes256 -out myCA/user.key.pem 2048
Enter PEM pass phrase:<secret>
Verifying - Enter PEM pass phrase:<secret>
 
  Step 2. Generate certificate request:
 
C:\OpenSSL>openssl req -new -sha256 -key myCA/user.key.pem -out myCA/user.csr.pem ^
             -passin pass:<secret> -subj "/C=US/CN=User"
  Step 3. Sign the CSR & add the signed CRT into the CA database:
  Instead of using X509 to sign the CSR, use CA here to sign and register it.
  The following file or folder MUST be present first:
   - An empty file 'myCA/index.txt'
   - A file 'myCA/serial' with content 01
   - An empty folder 'myCA/newcerts'
 
C:\OpenSSL>openssl ca -batch ^
             -config myCA/openssl.cnf -policy policy_anything -passin pass:<secret> ^
             -cert myCA/rootCA.crt.pem -keyfile myCA/rootCA.key.pem ^
             -out myCA/user.crt.pem -days 3650 ^
             -extensions usr_cert -infiles myCA/user.csr.pem
Write out database with 1 new entries
Database updated
  Note:
   - Database 'myCA/index.txt' should have been updated
   - 'myCA/serial' should be incremented
   - '01.pem' certificate should be added under the folder 'myCA/newcerts'
 
  Display/Verify the certificate
 
C:\OpenSSL>openssl x509 -in myCA/user.crt.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            32:0a:99:88:1f:e6:a6:15:0a:48:17:51:f7:1d:01:a6:2e:54:25:7b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
        Validity
            Not Before: Dec  6 04:14:02 2024 GMT
            Not After : Dec  6 04:14:02 2025 GMT
        Subject: C=US, ST=CA, L=SF, O=Internet Widgits Pty Ltd, CN=user
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:9d:3f:c9:ab:1a:86:61:b5:eb:99:f4:79:0d:
                    ...
                    c4:c0:c0:11:58:fc:1d:2b:1d:09:99:c4:40:7e:c0:
                    23:35
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                27:C7:47:BA:AB:D9:C7:86:E3:C6:3D:D5:DA:08:D3:92:33:CB:8F:70
            X509v3 Authority Key Identifier:
                E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
            Authority Information Access:
                OCSP - URI:http://127.0.0.1:2560
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        26:84:e4:77:ba:17:87:3f:3d:57:94:08:2d:15:18:e6:e4:96:
         ...
        1e:e1:53:2f
  Step 4. Convert private key and public cert into PKCS12 store--.p12
 
C:\OpenSSL>openssl pkcs12 -export -inkey myCA/user.key.pem -in myCA/user.crt.pem ^
             -name alias_name -out myCA/user_ocsp_extension.p12
Enter pass phrase for myCA/user.key.pem:<secret>
Enter Export Password:<secret>
Verifying - Enter Export Password:<secret>
  Note: .p12 keystore is widely used in Java applications. With the given example's settings:
   keystore=myCA/user_ocsp_extension.p12
   type=PKCS12
   password=<secret>
   alias=alias_name
 
| Running an OCSP Client to Check Certificate's Status |

C:\OpenSSL>openssl ocsp -CAfile myCA/rootCA.crt.pem -url http://127.0.0.1:2560 -issuer myCA/rootCA.crt.pem ^
             -cert myCA/user.crt.pem -resp_text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, CN = myCompany.com
    Produced At: Dec  6 05:20:07 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: CEC9DF5A3CEF1C457A8F61ECEBE4555CAA0409D0
      Issuer Key Hash: E7868EDA3FBA67A5CC00AF7C256778808CA30891
      Serial Number: 320A99881FE6A6150A481751F71D01A62E54257B
    Cert Status: good
    This Update: Dec  6 05:20:07 2024 GMT
    Response Extensions:
        OCSP Nonce:
            04107C541DA3EBA8A52E21B21A5A567F1618
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        1e:86:14:38:7a:2e:3f:32:99:12:5b:c8:8e:a5:39:9a:41:d7:
        a5:3d:42:29
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:b4:bf:83:42:09:d0:4f:c2:42:83:38:c7:10:95:ac:ab:eb:33:ae
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
        Validity
            Not Before: Dec  6 04:44:58 2024 GMT
            Not After : Jul  3 04:44:58 2031 GMT
        Subject: C=US, CN=myCompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:e0:b9:66:07:2d:56:3f:37:89:2e:85:aa:d4:
                    c1:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Subject Key Identifier:
                6A:1D:E7:98:B2:86:F8:CB:24:1E:D2:F5:FA:EC:34:0F:E7:0E:47:63
            X509v3 Authority Key Identifier:
                E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:68:34:09:d8:a0:df:b9:68:d9:83:e1:96:40:2b:47:e7:c5:
        9f:94:d7:67
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIUCrS/g0IJ0E/CQoM4xxCVrKvrM64wDQYJKoZIhvcNAQEL
...
HmakuecOkL397KnJlp3JX0J+EOXX+RpdMJL/N/ibbfBViYLrEBRzBH1eVyHdn5TX
Zw==
-----END CERTIFICATE-----
Response verify OK
myCA/user.crt.pem: good
        This Update: Dec  6 05:20:07 2024 GMT
| Revoke Certificate |

C:\OpenSSL>openssl ca -keyfile myCA/rootCA.key.pem -cert myCA/rootCA.crt.pem ^
             -revoke myCA/user.crt.pem -config myCA/openssl.cnf
Using configuration from myCA/openssl.cnf
Enter pass phrase for myCA/rootCA.key.pem:<secret>
Adding Entry with serial number 320A99881FE6A6150A481751F71D01A62E54257B to DB for /C=US/ST=CA/L=SF/O=Internet Widgits Pty Ltd/CN=user
Revoking Certificate 320A99881FE6A6150A481751F71D01A62E54257B.
Database updated
  Note: myCA/index.txt has been updated.
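
The `-revoke` step above changes one line of `myCA/index.txt`, the database the responder was started with via `-index`. As an added example (not part of the original post), this Python code parses that file's tab-separated layout and reports the status recorded for a serial; the two sample lines are constructed from the serial, expiry and revocation time shown in this thread, and reporting an absent serial as `unknown` is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Status flag in column 1 of index.txt -> status name used in this example.
STATUS_NAMES = {"V": "good", "R": "revoked", "E": "expired"}


@dataclass
class IndexEntry:
    flag: str                       # V (valid), R (revoked) or E (expired)
    expires: datetime
    revoked_at: Optional[datetime]  # set only for revoked entries
    reason: Optional[str]           # optional reason text after a comma
    serial: str                     # upper-case hex, no separators
    subject: str


def parse_time(value: str) -> datetime:
    # 13 characters is YYMMDDHHMMSSZ; longer values carry a 4-digit year.
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def normalize_serial(serial: str) -> str:
    # Accept "32:0a:99:..." (x509 -text) as well as "320A99..." (index.txt, OCSP output).
    return serial.replace(":", "").strip().upper()


def parse_index(text: str) -> Dict[str, IndexEntry]:
    """Parse index.txt content into a dict keyed by normalized serial."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        flag, expires, revoked, serial, _filename, subject = fields
        if flag not in STATUS_NAMES:
            raise ValueError(f"line {lineno}: unknown status flag {flag!r}")
        revoked_at, reason = None, None
        if revoked:
            when, _, why = revoked.partition(",")
            revoked_at, reason = parse_time(when), (why or None)
        # A revocation date must be present exactly when the flag is R.
        if (flag == "R") != (revoked_at is not None):
            raise ValueError(f"line {lineno}: status flag and revocation date disagree")
        key = normalize_serial(serial)
        entries[key] = IndexEntry(flag, parse_time(expires), revoked_at, reason, key, subject)
    return entries


def lookup_status(entries: Dict[str, IndexEntry], serial: str) -> str:
    # Assumption of this example: a serial that is not in the database is "unknown".
    entry = entries.get(normalize_serial(serial))
    return STATUS_NAMES[entry.flag] if entry else "unknown"


# Constructed sample lines (not copied from a real index.txt), built from the
# serial, "Not After" and "Revocation Time" values shown in this thread.
USER_SERIAL = "320A99881FE6A6150A481751F71D01A62E54257B"
SUBJECT = "/C=US/ST=CA/L=SF/O=Internet Widgits Pty Ltd/CN=user"
BEFORE_REVOKE = "\t".join(["V", "251206041402Z", "", USER_SERIAL, "unknown", SUBJECT]) + "\n"
AFTER_REVOKE = "\t".join(["R", "251206041402Z", "241206053726Z", USER_SERIAL, "unknown", SUBJECT]) + "\n"

if __name__ == "__main__":
    for label, text in (("before revoke", BEFORE_REVOKE), ("after revoke", AFTER_REVOKE)):
        db = parse_index(text)
        print(label, lookup_status(db, USER_SERIAL), db[USER_SERIAL].revoked_at)
```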
 
| Running an OCSP Client to Check a Revoked Certificate's Status |

C:\OpenSSL>openssl ocsp -CAfile myCA/rootCA.crt.pem -url http://127.0.0.1:2560 -issuer myCA/rootCA.crt.pem -cert myCA/user.crt.pem -resp_text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, CN = myCompany.com
    Produced At: Dec  6 05:41:04 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: CEC9DF5A3CEF1C457A8F61ECEBE4555CAA0409D0
      Issuer Key Hash: E7868EDA3FBA67A5CC00AF7C256778808CA30891
      Serial Number: 320A99881FE6A6150A481751F71D01A62E54257B
    Cert Status: revoked
    Revocation Time: Dec  6 05:37:26 2024 GMT
    This Update: Dec  6 05:41:04 2024 GMT
    Response Extensions:
        OCSP Nonce:
            0410D3FADA33867929701F6AE10A65394441
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        6c:37:a7:4c:aa:79:3d:4e:fe:06:d0:f4:d0:c3:22:68:a2:4a:
        96:4f:95:1c
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:b4:bf:83:42:09:d0:4f:c2:42:83:38:c7:10:95:ac:ab:eb:33:ae
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=MyCA, OU=Dev, CN=rootCA
        Validity
            Not Before: Dec  6 04:44:58 2024 GMT
            Not After : Jul  3 04:44:58 2031 GMT
        Subject: C=US, CN=myCompany.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:e0:b9:66:07:2d:56:3f:37:89:2e:85:aa:d4:
                    91:92:50:75:97:3d:9f:fc:5b:ee:7d:50:3b:d5:0b:
                    c1:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Subject Key Identifier:
                6A:1D:E7:98:B2:86:F8:CB:24:1E:D2:F5:FA:EC:34:0F:E7:0E:47:63
            X509v3 Authority Key Identifier:
                E7:86:8E:DA:3F:BA:67:A5:CC:00:AF:7C:25:67:78:80:8C:A3:08:91
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8a:68:34:09:d8:a0:df:b9:68:d9:83:e1:96:40:2b:47:e7:c5:
        9f:94:d7:67
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIUCrS/g0IJ0E/CQoM4xxCVrKvrM64wDQYJKoZIhvcNAQEL
...
HmakuecOkL397KnJlp3JX0J+EOXX+RpdMJL/N/ibbfBViYLrEBRzBH1eVyHdn5TX
Zw==
-----END CERTIFICATE-----
Response verify OK
myCA/user.crt.pem: revoked
        This Update: Dec  6 05:41:04 2024 GMT
        Revocation Time: Dec  6 05:37:26 2024 GMT
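
The two client runs above differ only in a few lines of text, and neither response carries a `Next Update` field, so a caller that automates this check has to decide for itself how old a `good` answer may be. As an added example (not part of the original posts), this Python code evaluates captured `openssl ocsp -resp_text` output and accepts a certificate only when every check passes; the sample texts are constructed, trimmed versions of the outputs shown in this thread, and the one-hour maximum age and five-minute clock skew are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone


def field(text, label):
    """Return the first value printed after 'label:' on the same line, or None."""
    m = re.search(rf"^[ \t]*{re.escape(label)}:[ \t]*(\S.*?)[ \t]*$", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_openssl_time(value):
    # OpenSSL pads single-digit days with a second space ("Dec  6 ..."); collapse it.
    stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)


def evaluate_ocsp_text(text, expected_serial, now,
                       max_age=timedelta(hours=1), skew=timedelta(minutes=5)):
    """Return (accepted, reason). Anything missing or unexpected is a rejection."""
    text = text.replace("\r\n", "\n")  # output captured on Windows
    status = field(text, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return False, "responder did not return a successful response"
    if not re.search(r"^Response verify OK[ \t]*$", text, re.MULTILINE):
        return False, "response signature was not verified"
    serial = field(text, "Serial Number")  # the Certificate ID serial comes first
    if serial is None or serial.upper() != expected_serial.replace(":", "").upper():
        return False, "response is for a different certificate"
    this_update = field(text, "This Update")
    if this_update is None:
        return False, "response has no This Update time"
    issued = parse_openssl_time(this_update)
    if issued > now + skew:
        return False, "response is dated in the future"
    next_update = field(text, "Next Update")
    if next_update is not None:
        if now > parse_openssl_time(next_update) + skew:
            return False, "response is stale"
    elif now - issued > max_age:
        # No Next Update, as in this thread's responses: apply a local age limit.
        return False, "response is stale"
    cert_status = field(text, "Cert Status")
    if cert_status != "good":
        return False, f"certificate status is {cert_status or 'missing'}"
    return True, "good"


USER_SERIAL = "320A99881FE6A6150A481751F71D01A62E54257B"

# Constructed samples: trimmed from the two client outputs shown in this thread.
GOOD_RESPONSE = """OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, CN = myCompany.com
    Produced At: Dec  6 05:20:07 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 320A99881FE6A6150A481751F71D01A62E54257B
    Cert Status: good
    This Update: Dec  6 05:20:07 2024 GMT
Response verify OK
"""

REVOKED_RESPONSE = (
    GOOD_RESPONSE
    .replace("Cert Status: good",
             "Cert Status: revoked\n    Revocation Time: Dec  6 05:37:26 2024 GMT")
    .replace("05:20:07", "05:41:04")
)

if __name__ == "__main__":
    when = datetime(2024, 12, 6, 5, 45, tzinfo=timezone.utc)
    print(evaluate_ocsp_text(GOOD_RESPONSE, USER_SERIAL, when))
    print(evaluate_ocsp_text(REVOKED_RESPONSE, USER_SERIAL, when))
```

`openssl ocsp` may write the `Response verify OK` line to stderr rather than stdout, so capture both streams before passing the text in.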